Merge branch 'release/v2023.0' into develop

2023-01-05 20:52:02 +01:00 · 2023-01-05 20:52:02 +01:00 · 64b10c1a59
commit 64b10c1a59
parent bdbf66c8e1 716a7dd9ea
4 changed files with 188 additions and 164 deletions
--- a/README.md
+++ b/README.md
@ -62,7 +62,7 @@ This way, you can start where you left off. If you remove the container, you nee
 Download the latest WebGoat release from [https://github.com/WebGoat/WebGoat/releases](https://github.com/WebGoat/WebGoat/releases)

 ```shell
-java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.1.jar
+java -Dfile.encoding=UTF-8 -Dwebgoat.port=8080 -Dwebwolf.port=9090 -jar webgoat-2023.0.jar
 ```

 Click the link in the log to start WebGoat.
@ -125,7 +125,7 @@ For instance running as a jar on a Linux/macOS it will look like this:
 ```Shell
 export EXCLUDE_CATEGORIES="CLIENT_SIDE,GENERAL,CHALLENGE"
 export EXCLUDE_LESSONS="SqlInjectionAdvanced,SqlInjectionMitigations"
-java -jar target/webgoat-2023.1-SNAPSHOT.jar
+java -jar target/webgoat-2023.0-SNAPSHOT.jar
 ```

 Or in a docker run it would (once this version is pushed into docker hub) look like this:
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@ -1,8 +1,8 @@
 # WebGoat release notes

-## Version 2023.1
+## Version 2023.0

-With great pleasure, we present you with a new release of WebGoat **2023.1**. Finally, it has been a while. This year starts with a new release of WebGoat. This year we will undoubtedly release more often. From this release on, we began to use a new versioning scheme (https://calver.org/#scheme).
+With great pleasure, we present you with a new release of WebGoat **2023.0**. Finally, it has been a while. This year starts with a new release of WebGoat. This year we will undoubtedly release more often. From this release on, we began to use a new versioning scheme (https://calver.org/#scheme).

 A big thanks to René Zubcevic and Àngel Ollé Blázquez for keeping the project alive this last year, and hopefully, we can make
 many more releases this year.
--- a/pom.xml
+++ b/pom.xml
@ -10,7 +10,7 @@
  </parent>
  <groupId>org.owasp.webgoat</groupId>
  <artifactId>webgoat</artifactId>
-  <version>2023.1</version>
+  <version>2023.0</version>
  <packaging>jar</packaging>

  <name>WebGoat</name>
--- a/src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java
+++ b/src/it/java/org/owasp/webgoat/GeneralLessonIntegrationTest.java
@ -2,185 +2,209 @@ package org.owasp.webgoat;

 import io.restassured.RestAssured;
 import io.restassured.http.ContentType;
+import java.util.HashMap;
+import java.util.Map;
 import org.hamcrest.CoreMatchers;
 import org.hamcrest.MatcherAssert;
 import org.junit.jupiter.api.Test;
-
-import java.util.HashMap;
-import java.util.Map;
-
+import org.springframework.util.StringUtils;

 public class GeneralLessonIntegrationTest extends IntegrationTest {

-    @Test
-    public void httpBasics() {
-        startLesson("HttpBasics");
-        Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("person", "goatuser");
-        checkAssignment(url("HttpBasics/attack1"), params, true);
+  @Test
+  public void httpBasics() {
+    startLesson("HttpBasics");
+    Map<String, Object> params = new HashMap<>();
+    params.clear();
+    params.put("person", "goatuser");
+    checkAssignment(url("HttpBasics/attack1"), params, true);

-        params.clear();
-        params.put("answer", "POST");
-        params.put("magic_answer", "33");
-        params.put("magic_num", "4");
-        checkAssignment(url("HttpBasics/attack2"), params, false);
+    params.clear();
+    params.put("answer", "POST");
+    params.put("magic_answer", "33");
+    params.put("magic_num", "4");
+    checkAssignment(url("HttpBasics/attack2"), params, false);

-        params.clear();
-        params.put("answer", "POST");
-        params.put("magic_answer", "33");
-        params.put("magic_num", "33");
-        checkAssignment(url("HttpBasics/attack2"), params, true);
+    params.clear();
+    params.put("answer", "POST");
+    params.put("magic_answer", "33");
+    params.put("magic_num", "33");
+    checkAssignment(url("HttpBasics/attack2"), params, true);

-        checkResults("/HttpBasics/");
+    checkResults("/HttpBasics/");
+  }
+
+  @Test
+  public void httpProxies() {
+    startLesson("HttpProxies");
+    MatcherAssert.assertThat(
+        RestAssured.given()
+            .when()
+            .relaxedHTTPSValidation()
+            .cookie("JSESSIONID", getWebGoatCookie())
+            .header("x-request-intercepted", "true")
+            .contentType(ContentType.JSON)
+            .get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
+            .then()
+            .statusCode(200)
+            .extract()
+            .path("lessonCompleted"),
+        CoreMatchers.is(true));
+
+    checkResults("/HttpProxies/");
+  }
+
+  @Test
+  public void cia() {
+    startLesson("CIA");
+    Map<String, Object> params = new HashMap<>();
+    params.clear();
+    params.put(
+        "question_0_solution",
+        "Solution 3: By stealing a database where names and emails are stored and uploading it to a website.");
+    params.put(
+        "question_1_solution",
+        "Solution 1: By changing the names and emails of one or more users stored in a database.");
+    params.put(
+        "question_2_solution",
+        "Solution 4: By launching a denial of service attack on the servers.");
+    params.put(
+        "question_3_solution",
+        "Solution 2: The systems security is compromised even if only one goal is harmed.");
+    checkAssignment(url("/WebGoat/cia/quiz"), params, true);
+    checkResults("/cia/");
+  }
+
+  @Test
+  public void vulnerableComponents() {
+    if (StringUtils.hasText(System.getProperty("running.in.docker"))) {
+      String solution =
+          "<contact class='dynamic-proxy'>\n"
+              + "<interface>org.owasp.webgoat.lessons.vulnerablecomponents.Contact</interface>\n"
+              + "  <handler class='java.beans.EventHandler'>\n"
+              + "    <target class='java.lang.ProcessBuilder'>\n"
+              + "      <command>\n"
+              + "        <string>calc.exe</string>\n"
+              + "      </command>\n"
+              + "    </target>\n"
+              + "    <action>start</action>\n"
+              + "  </handler>\n"
+              + "</contact>";
+      startLesson("VulnerableComponents");
+      Map<String, Object> params = new HashMap<>();
+      params.clear();
+      params.put("payload", solution);
+      checkAssignment(url("/WebGoat/VulnerableComponents/attack1"), params, true);
+      checkResults("/VulnerableComponents/");
    }
+  }

-    @Test
-    public void httpProxies() {
-        startLesson("HttpProxies");
-        MatcherAssert.assertThat(RestAssured.given()
-                .when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
-                .contentType(ContentType.JSON)
-                .get(url("HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
-                .then()
-                .statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true));
+  @Test
+  public void insecureLogin() {
+    startLesson("InsecureLogin");
+    Map<String, Object> params = new HashMap<>();
+    params.clear();
+    params.put("username", "CaptainJack");
+    params.put("password", "BlackPearl");
+    checkAssignment(url("/WebGoat/InsecureLogin/task"), params, true);
+    checkResults("/InsecureLogin/");
+  }

-        checkResults("/HttpProxies/");
-    }
+  @Test
+  public void securePasswords() {
+    startLesson("SecurePasswords");
+    Map<String, Object> params = new HashMap<>();
+    params.clear();
+    params.put("password", "ajnaeliclm^&&@kjn.");
+    checkAssignment(url("/WebGoat/SecurePasswords/assignment"), params, true);
+    checkResults("SecurePasswords/");

-    @Test
-    public void cia() {
-        startLesson("CIA");
-        Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("question_0_solution", "Solution 3: By stealing a database where names and emails are stored and uploading it to a website.");
-        params.put("question_1_solution", "Solution 1: By changing the names and emails of one or more users stored in a database.");
-        params.put("question_2_solution", "Solution 4: By launching a denial of service attack on the servers.");
-        params.put("question_3_solution", "Solution 2: The systems security is compromised even if only one goal is harmed.");
-        checkAssignment(url("/WebGoat/cia/quiz"), params, true);
-        checkResults("/cia/");
+    startLesson("AuthBypass");
+    params.clear();
+    params.put("secQuestion2", "John");
+    params.put("secQuestion3", "Main");
+    params.put("jsEnabled", "1");
+    params.put("verifyMethod", "SEC_QUESTIONS");
+    params.put("userId", "12309746");
+    checkAssignment(url("/WebGoat/auth-bypass/verify-account"), params, true);
+    checkResults("/auth-bypass/");

-    }
-    
-    @Test
-    public void vulnerableComponents() {
-    	String solution = "<contact class='dynamic-proxy'>\n" + 
-    			"<interface>org.owasp.webgoat.lessons.vulnerablecomponents.Contact</interface>\n" +
-    			"  <handler class='java.beans.EventHandler'>\n" + 
-    			"    <target class='java.lang.ProcessBuilder'>\n" + 
-    			"      <command>\n" + 
-    			"        <string>calc.exe</string>\n" + 
-    			"      </command>\n" + 
-    			"    </target>\n" + 
-    			"    <action>start</action>\n" + 
-    			"  </handler>\n" + 
-    			"</contact>";
-    	startLesson("VulnerableComponents");
-        Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("payload", solution);
-        checkAssignment(url("/WebGoat/VulnerableComponents/attack1"), params, true);
-        checkResults("/VulnerableComponents/");
-    }
-    
-    @Test
-    public void insecureLogin() {
-    	startLesson("InsecureLogin");
-        Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("username", "CaptainJack");
-        params.put("password", "BlackPearl");
-        checkAssignment(url("/WebGoat/InsecureLogin/task"), params, true);
-        checkResults("/InsecureLogin/");
-    }
+    startLesson("HttpProxies");
+    MatcherAssert.assertThat(
+        RestAssured.given()
+            .when()
+            .relaxedHTTPSValidation()
+            .cookie("JSESSIONID", getWebGoatCookie())
+            .header("x-request-intercepted", "true")
+            .contentType(ContentType.JSON)
+            .get(
+                url("/WebGoat/HttpProxies/intercept-request?changeMe=Requests are tampered easily"))
+            .then()
+            .statusCode(200)
+            .extract()
+            .path("lessonCompleted"),
+        CoreMatchers.is(true));
+    checkResults("/HttpProxies/");
+  }

-    @Test
-    public void securePasswords() {
-        startLesson("SecurePasswords");
-        Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("password", "ajnaeliclm^&&@kjn.");
-        checkAssignment(url("/WebGoat/SecurePasswords/assignment"), params, true);
-        checkResults("SecurePasswords/");
+  @Test
+  public void chrome() {
+    startLesson("ChromeDevTools");

-        startLesson("AuthBypass");
-        params.clear();
-        params.put("secQuestion2", "John");
-        params.put("secQuestion3", "Main");
-        params.put("jsEnabled", "1");
-        params.put("verifyMethod", "SEC_QUESTIONS");
-        params.put("userId", "12309746");
-        checkAssignment(url("/WebGoat/auth-bypass/verify-account"), params, true);
-        checkResults("/auth-bypass/");
+    Map<String, Object> params = new HashMap<>();
+    params.clear();
+    params.put("param1", "42");
+    params.put("param2", "24");

-        startLesson("HttpProxies");
-        MatcherAssert.assertThat(RestAssured.given().when().relaxedHTTPSValidation().cookie("JSESSIONID", getWebGoatCookie()).header("x-request-intercepted", "true")
-                .contentType(ContentType.JSON)
-                .get(url("/WebGoat/HttpProxies/intercept-request?changeMe=Requests are tampered easily")).then()
-                .statusCode(200).extract().path("lessonCompleted"), CoreMatchers.is(true));
-        checkResults("/HttpProxies/");
-    }
+    String result =
+        RestAssured.given()
+            .when()
+            .relaxedHTTPSValidation()
+            .cookie("JSESSIONID", getWebGoatCookie())
+            .header("webgoat-requested-by", "dom-xss-vuln")
+            .header("X-Requested-With", "XMLHttpRequest")
+            .formParams(params)
+            .post(url("/WebGoat/CrossSiteScripting/phone-home-xss"))
+            .then()
+            .statusCode(200)
+            .extract()
+            .path("output");
+    String secretNumber = result.substring("phoneHome Response is ".length());

-    @Test
-    public void chrome() {
-        startLesson("ChromeDevTools");
+    params.clear();
+    params.put("successMessage", secretNumber);
+    checkAssignment(url("/WebGoat/ChromeDevTools/dummy"), params, true);

-        Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("param1", "42");
-        params.put("param2", "24");
+    params.clear();
+    params.put("number", "24");
+    params.put("network_num", "24");
+    checkAssignment(url("/WebGoat/ChromeDevTools/network"), params, true);

-        String result =
-                RestAssured.given()
-                        .when()
-                        .relaxedHTTPSValidation()
-                        .cookie("JSESSIONID", getWebGoatCookie())
-                        .header("webgoat-requested-by", "dom-xss-vuln")
-                        .header("X-Requested-With", "XMLHttpRequest")
-                        .formParams(params)
-                        .post(url("/WebGoat/CrossSiteScripting/phone-home-xss"))
-                        .then()
-                        .statusCode(200)
-                        .extract().path("output");
-        String secretNumber = result.substring("phoneHome Response is ".length());
+    checkResults("/ChromeDevTools/");
+  }

-        params.clear();
-        params.put("successMessage", secretNumber);
-        checkAssignment(url("/WebGoat/ChromeDevTools/dummy"), params, true);
+  @Test
+  public void authByPass() {
+    startLesson("AuthBypass");
+    Map<String, Object> params = new HashMap<>();
+    params.clear();
+    params.put("secQuestion2", "John");
+    params.put("secQuestion3", "Main");
+    params.put("jsEnabled", "1");
+    params.put("verifyMethod", "SEC_QUESTIONS");
+    params.put("userId", "12309746");
+    checkAssignment(url("/auth-bypass/verify-account"), params, true);
+    checkResults("/auth-bypass/");
+  }

-        params.clear();
-        params.put("number", "24");
-        params.put("network_num", "24");
-        checkAssignment(url("/WebGoat/ChromeDevTools/network"), params, true);
-
-        checkResults("/ChromeDevTools/");
-    }
-    
-    @Test
-    public void authByPass() {
-        startLesson("AuthBypass");
-        Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("secQuestion2", "John");
-        params.put("secQuestion3", "Main");
-        params.put("jsEnabled", "1");
-        params.put("verifyMethod", "SEC_QUESTIONS");
-        params.put("userId", "12309746");
-        checkAssignment(url("/auth-bypass/verify-account"), params, true);
-        checkResults("/auth-bypass/");
-
-    }
-    
-    @Test
-    public void lessonTemplate() {
-    	startLesson("LessonTemplate");
-    	Map<String, Object> params = new HashMap<>();
-        params.clear();
-        params.put("param1", "secr37Value");
-        params.put("param2", "Main");
-        checkAssignment(url("/lesson-template/sample-attack"), params, true);
-        checkResults("/lesson-template/");
-    	
-    }
-    
+  @Test
+  public void lessonTemplate() {
+    startLesson("LessonTemplate");
+    Map<String, Object> params = new HashMap<>();
+    params.clear();
+    params.put("param1", "secr37Value");
+    params.put("param2", "Main");
+    checkAssignment(url("/lesson-template/sample-attack"), params, true);
+    checkResults("/lesson-template/");
+  }
 }